Attorney-General expects cops to issue assistance notices on encryption Bill assent
Australian Attorney-General Christian Porter has said he expects agencies such as the Australian Security Intelligence Organisation (ASIO), Australian Federal Police (AFP), and state police forces to quickly make use of the provisions contained in the Assistance and Access Bill.
Under the proposed law, Australian government agencies would be able to issue three kinds of notices:
- Technical Assistance Notices (TAN), which are compulsory notices for a communication provider to use an interception capability they already have;
- Technical Capability Notices (TCN), which are compulsory notices for a communication provider to build a new interception capability, so that it can meet subsequent Technical Assistance Notices; and
- Technical Assistance Requests (TAR), which have been described by experts as the most dangerous of all.
“As soon as the legislation is proclaimed, it would be open for the AFP or ASIO or NSW Police to send a notice off to Microsoft or the manufacturers of the WhatsApp application and seek their assistance if they thought that that was reasonable and necessary,” Porter told Sky News on Wednesday.
“There are a lot of safeguards and protections built into the Act, but it’s a critical power to have and the power will be used.”
Porter also told Channel 9 that the powers are only about targeting individuals suspected of terrorism, homicide offences, serious drug offences, and serious child sex offences.
“In serious individual specific cases, and this law has a very clear provision in it that nothing in the nature of systemic weaknesses across multiple phones can be created.”
“Custom firmware built to address one notice or request is not a systemic weakness unless it is deployed to users other than the targeted user,” the department said.
“So long as the capability is held in reserve, it does not jeopardise the security of other users and is not a systemic weakness.”
On Tuesday afternoon, the Coalition government and Labor opposition agreed to a deal to have the legislation pass Parliament this week before it rises for the summer break.
“The changes include limiting the application of the powers in this Bill to only serious offences, properly defining key terms in the Bill, and requiring a ‘double-lock’ authorisation process for Technical Capability Notices,” Shadow Attorney-General Mark Dreyfus said on Tuesday.
“This Bill is far from perfect, and there are likely to be significant outstanding issues, but this compromise will deliver security and enforcement agencies the powers they say they need over the Christmas period, and ensure adequate oversight and safeguards.”
Under the double-lock mechanism, the attorney-general and communications minister would need to authorise a TCN, and where there was a dispute over whether such a notice would create a systemic weakness, this would be determined by a former judge and a technical expert.
“Labor has spent five years responsibly improving national security legislation to make Australians safer, and we have done the same thing today,” Dreyfus proudly boasted.
Speaking to journalists on Tuesday afternoon, Porter said the Bill would contain a definition of systemic weakness, which is one of the few clauses that allows tech companies to refuse to comply.
“In the United Kingdom, they have much tougher laws than here, the sky hasn’t fallen, people aren’t rioting in the streets of the UK saying their rights have been infringed,” he said.
“That is also a parliamentary democracy where people expect to be protected by the law so that their privacy and security is protected. But that doesn’t mean that criminals should have their privacy and security protected, and that is what this law does.”
Telecommunication industry group Communications Alliance said the deal made by the major parties left dangerous loopholes open.
“It appears that nothing will be done to limit the powers available to agencies via Technical Assistance Notices, which are just as dangerous as TCNs but operate with much less oversight and with fewer protections,” Comms Alliance CEO John Stanton said.
Stanton added that TANs do not require approval by the attorney-general, have no consultation period, and can be issued and subsequently varied by delegated officers of interception agencies.
“There is a real risk that while much is being made of additional protections around TCNs, agencies will simply exploit this loophole in the Bill to direct their activities via TANs instead,” he said.